How do I give administrators access to a folder without destroying current permissions?

Some careful digging reveals that taking ownership sometimes destroys existing permissions and sometimes doesn't. It all seems to depend on whether you try and do it recursively. Note that Windows does warn you when it is going to replace the existing permissions, but (in the GUI at least) it's very easy to just OK the message without reading or understanding it fully.

To see it, you'll need a directory (c:\SomeFolder in this example) that is owned by a different user account and to which you and the administrators group have zero access.

Command Line

Using the command line "takeown" tool:

TAKEOWN /A /R /F c:\SomeFolder

you should see something like

SUCCESS: The file (or folder) "c:\SomeFolder" is now owned by the administrators group.

You do not have permissions to read the contents of the directory "c:\SomeFolder"

Do you want to replace the directory permissions with permissions granting you full control ("Y" for YES, "N" for NO, "C" for CANCEL)?

Note that if you answer yes here, it really does mean replace the permissions. Any existing permissions will get destroyed. If you answer no, you still have no permissions on the folder but are now the owner so can give yourself permissions normally and without destroying any that already exist.

If you don't specify the recursive flag (/R), you don't get the warning and the owner is changed without affecting any other permissions.

GUI

You'll need to use the "security" tab of the properties window to alter anything via the GUI. This gives you two buttons: "continue" and "advanced". Advanced gives you a window with the four tabs: "permissions", "auditing", "owner" and "effective permissions". Continue gives you just the "owner" tab.

If you select a new owner and tick the "apply to sub-folders" box, hitting OK or apply gives you a "Do you want to replace the permissions" message box that, again, really does mean replace permissions. If you don't check the sub-folders box, you don't get the warning and everything behaves as expected.

It is very easy to not read this message box fully, assume it's just another box asking you to confirm something non-destructive and just hit enter to OK it. It's also very easy to assume they couldn't possibly really mean replace because nobody sane would ever want to do that.

If you are not listed as "can read/change permissions" in the folder's ACL, you cannot change them, no matter who or what you are. All Users, Administrators, Builtins, even nt authority\system, are treated equally by the security code. (The system-wide "Take ownership" privilege is an exception, but it cannot modify the ACL either, only reset it.)

You must log in as someone who is allowed to do this, either directly (username + password) or – if you have a lot of spare time – by doing some SeCreateTokenPrivilege wizardry.

Old question but still high on the Google results. And it's missing a significant answer...

It is actually possible to grant yourself access while preserving existing permissions, but you need to get hold of subinacl.exe, a little command line tool originally from Microsoft's Windows Resource Kits.

subinacl /file "examplefileorfolder" /grant=mydomain\myusername=F

You need local admin access on the target obviously (run from elevated command prompt).

You can also do it recursively for example:

subinacl /subdirectories "C:\examplefolder\*" /grant=mydomain\myusername=F

But recursively does create an explicit ACE (not inherited) at every single subfolder at every level, which is very messy if you have a fairly big directory structure. Also note you need the asterisk, recursion doesn't work without that for some reason.

I'd only reccomend using it as a last resort though, and practice it on a test area first with some none-essential data, as it's an old utility, and can be a bit temperamental if using recursion (subdirectories) as explained above.

It is OK to use the "Replace owner on subcontainers and objects" checkbox highlighted in green. It is not OK to sue the "Replace all child object permissions entries" checkbox highlighted in red. The latter one will replace existing ACLs (permissions) rather than just changing the owner.